[PM-4439] Replace oidc-client-ts with oauth4webapi

[harr1424]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-4439

📔 Objective

Much of the functionality provided by oidc-client-ts was not being used, and has been replaced with oauth4webapi which is better scoped to the functionality we depend upon.

AppSec dependency review

[codecov]

Codecov Report

❌ Patch coverage is 94.44444% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 49.45%. Comparing base (30f00be) to head (4293581).
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
...ponents/lastpass/lastpass-direct-import.service.ts	94.44%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #20824      +/-   ##
==========================================
+ Coverage   49.32%   49.45%   +0.13%     
==========================================
  Files        4096     4096              
  Lines      128872   128890      +18     
  Branches    19780    19741      -39     
==========================================
+ Hits        63563    63743     +180     
+ Misses      60597    60434     -163     
- Partials     4712     4713       +1     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

🤖 Bitwarden Claude Code Review

Overall Assessment: APPROVE

Reviewed the replacement of oidc-client-ts with oauth4webapi in the LastPass federated (OIDC) direct-import flow. The new implementation correctly preserves the security properties of the authorization-code flow: PKCE (S256), state validation via validateAuthResponse (CSRF), nonce validation via expectedNonce + requireIdToken (replay), and userinfo subject validation against the ID token sub. The removed dependencies (oidc-client-ts, transitive crypto-js and jwt-decode) have no remaining code references, the dropped passwordGenerationService constructor param is resolved automatically by providedIn: "root" DI, and AppSec dependency review (VULN-591) is referenced. New unit tests cover request building and response processing including the error paths.

Code Review Details

No blocking findings.

Note: libs/importer/jest.config.js switches the importer test suite from the plain ts-jest shared config to jest.config.angular (jest-preset-angular). This drops the documented CI memory-leak mitigations from the old config (isolatedModules: true, maxWorkers: 3 per EC-497) for all importer tests. The Angular preset is appropriate given the suite now exercises Angular code, and CI passes — flagging only for awareness.

Dependency Changes

Package	Change	Ecosystem
oauth4webapi	New (3.8.6)	npm
oidc-client-ts	Removed	npm
crypto-js	Removed (transitive)	npm
jwt-decode	Removed (transitive)	npm

[dereknance]

✅ Platform

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud